LinuxQuestions.org, forum: Linux - Security
#1 business_kid (LQ Guru), 05-16-2021, 10:40 AM
How do DarkSide do it?


Darkside have compromised an Irish network this time. Details below. They apparently are exploiting a flaw or loophole somewhere. Have there been any good articles on how they are doing it? Is it just Windows/Citrix systems? Are people really that silly?

http://www.hse.ie got brought down over the weekend. It was a ransomware attack. They were apparently trying to lock all the server data, and everything was shut down by sysadmins.
The Irish Government has made it clear no ransom would be paid, so they must have a good backup system. They don't claim to know how bad it is yet.

Hse.ie is Ireland's Health Service Executive, and hospitals have a fairly integrated online presence there, so scans & test results can be updated remotely, & accessed remotely. That stuff is offline while they bring up the servers which may still have active ransomware. They'll be out for a few days at least and working on paper while they sort out the mess. Then the records will have to be updated with the paper. A good week's overtime coming for a lot of folks.
 
#2 Ser Olmy (Senior Member), 05-16-2021, 11:33 AM
Quote:
Originally Posted by business_kid
Darkside have compromised an Irish network this time. Details below. They apparently are exploiting a flaw or loophole somewhere. Have there been any good articles on how they are doing it? Is it just Windows/Citrix systems? Are people really that silly?
Most complex pieces of software have flaws. While some of those flaws are critical and not generally known, most systems are compromised using known exploits that haven't been patched, or even worse, using accounts with default passwords.

Yes, it is common that important or even critical systems are left for years without basic maintenance: Patches are not applied, the vendor's recommended practices are not followed, licenses are not renewed, and so on.

One may think of a criminal "hacker" as someone who carefully follows a procedure like this:
  1. A desired target is selected
  2. Information about the target is collected using public registers, network probes, phishing/social engineering, and even dumpster diving
  3. The various network components are carefully analyzed for potential vulnerabilities
  4. A cunning plan is laid to exploit said vulnerabilities
  5. Various 3rd parties (low-hanging fruit) are compromised to be used as springboards so the attack can't be traced to its real origins
  6. The actual attack is executed
While this does indeed happen, especially when nation state actors are trying to penetrate the infrastructure of other nations, more often than not a "hack" looks like this:
  1. A group of script kiddies runs a botnet that probes IP addresses at random for misconfigured or vulnerable services
  2. Lists of vulnerable hosts are sold on the black market
  3. Slightly more competent criminals comb through the lists for high-value targets
  4. Malware is injected using readily available tools
  5. The malware encrypts all data, and leaves a ransom note containing a cryptocurrency wallet address
Computer security issues are just like all other security issues: They happen because of incompetence and/or lack of awareness.

Last edited by Ser Olmy; 05-16-2021 at 03:53 PM. Reason: typos
 
#3 business_kid (LQ Guru, original poster), 05-16-2021, 01:16 PM
I got to wondering, as it's been about 1 major system per week for Darkside, in case they were using some new technique or vulnerability.
 
#4 Ser Olmy (Senior Member), 05-16-2021, 01:48 PM
The problem isn't finding a vulnerable target, the problem is getting away with it and making money in the process.

Russian law is extremely lax when it comes to computer crime directed at non-Russian actors. And cryptocurrencies have more or less solved the ransom payment issue.

As long as these guys stay in Russia and don't create problems for the government, they'll be fine. That is, until the Russian government decides to use them as a bargaining chip to get something from the Americans.
 
#5 wpeckham (LQ Guru), 05-16-2021, 01:58 PM
I have only ever seen one kind of malware that was significantly OS independent. Nearly all of it is Windows malware. While it is possible to craft malware for Linux (Unix malware has a long and storied history) it has become quite rare in the last 3 decades. All of the big money for the criminals will be in infecting Windows networks and domains.

Oddly enough, many corporations that have a LOT of money transfer and IT departments who KNOW and ADVISE them on the risk will not invest in a resistant network environment with a safe mixture of operating systems, policies, and procedures until they have been impacted. Some of them not even AFTER a successful attack.

The UK and Ireland have some of the finest IT resources in the world. Getting management to pay ATTENTION to them can take a VERY big stick!

The USA is in pretty much the same boat in that regard. The Obama administration was the first to really take IT seriously, and Congress was not on board. This administration is taking it seriously, but Congress is 50% AT BEST serious about this.

Politics makes TERRIBLE tech. Business degrees and sales people make TERRIBLE tech. We need Engineers and Computer Scientists in the lead on this.
 
#6 hazel (LQ Guru), 05-16-2021, 03:24 PM
Quote:
Originally Posted by wpeckham
I have only ever seen one kind of malware that was significantly OS independent. Nearly all of it is Windows malware. While it is possible to craft malware for Linux (Unix malware has a long and storied history) it has become quite rare in the last 3 decades. All of the big money for the criminals will be in infecting Windows networks and domains.
I wonder why that is when most servers run Linux. I would have thought that cracking a company's server would be much more lucrative than encrypting the files on personal laptops.
 
#7 Ser Olmy (Senior Member), 05-16-2021, 03:35 PM
Quote:
Originally Posted by hazel
I wonder why that is when most servers run Linux. I would have thought that cracking a company's server would be much more lucrative than encrypting the files on personal laptops.
A vulnerability in a piece of software running on Linux/*BSD/Solaris/AIX/whatever might be instrumental in gaining access to a Windows-based network.

Let's say you compromise an anti-spam gateway, and now you can send genuine-looking e-mails appearing to come from any company e-mail address. By pretending you're an internal user, you can fool other users into opening a malicious attachment that exploits a vulnerability in Adobe Reader, or Word, or Excel, or the e-mail client itself.

And you don't have to compromise the internal file server in order to encrypt all the files, you just have to compromise a single Windows workstation that's in use by someone with write access to the data in question. In most Windows networks, network shares are mounted as drive letters and are thus readily available to any locally installed application. Or malware, as the case may be.

It really is a lot easier than most people think. (Edit: Once an exploitable vulnerability has been identified, that is.)

Last edited by Ser Olmy; 05-16-2021 at 03:54 PM.
 
#8 frankbell (LQ Guru), 05-16-2021, 07:53 PM
A column in the Tampa Bay Times addresses this. Most of it is about how to protect yourself/your systems, but the writer includes an interesting bit about how hackers feel out their targets. It appears that a lot of planning goes into such attacks.

Here's a key bit:

Quote:
They employ a technique called probe and record. Simply put, they will attack public and private infrastructure to see how far they can get. They will record what defensive measures have been put in place, what defensive measures they did not encounter, and if there was any offensive response. This helps them build attack profiles across every sector, both private and government.
 
#9 Ser Olmy (Senior Member), 05-17-2021, 07:49 AM
Quote:
Originally Posted by frankbell
Unfortunately it looks like it's written by someone with only superficial knowledge on the subject, which is really surprising given this line at the very bottom:
Quote:
Mark Khan is a senior information assurance cybersecurity consultant in Tampa.
Don't get me wrong, the article is generally quite good, as the author has obviously some knowledge and/or has used good sources, but then we get gems like this:
Quote:
7. Use MAC (Media Access Control) authentication whenever possible.
No, "MAC" in this context does not refer to Media Access Control-addresses, it's an acronym for "mandatory access control", a form of access control that unfortunately isn't supported on the Windows platform.

No person in the information security field would ever make a mistake like that. I hope no-one reads that article and starts creating firewall rules tying access to MAC addresses (which incidentally is a different concept called "RBAC", rule-based access control).

And speaking of things you absolutely shouldn't do:
Quote:
4. Change your passphrase every 90 days.
We know what happens when you enforce this, and it does not improve security.

Instead, it will either lead to poor password quality or, if rigorous password quality mechanisms are in place, to rampant password reuse across disparate systems and/or passwords being written down on Post-It notes. And as a bonus, the helpdesk gets overrun with password reset requests.

Instead, insist that users use passphrases. This requires something like 5 minutes of training, and it's pretty simple to enforce; just require passwords to be something like 20+ characters in length. Unfortunately, some Windows services cannot handle passwords longer than 16 characters.

The article also offers some advice in the "might sound sensible at first but either doesn't work, or simply cannot be implemented" category:
Quote:
6. Change the default access ports for all network devices.
Changing TCP/UDP port numbers is a form of "security by obscurity", and while that isn't entirely ineffective, it will typically only buy you a few extra days (at most) before the service is detected by a scripted scanner. What it certainly does do is inconvenience legitimate users, who have to remember a random port number in addition to the service URL.
Quote:
9. Review your router access logs on a weekly basis.
I'd like to give the author of this article a week's worth of logs from a VPN concentrator and tell them to examine it for any possible security issues.

What you should do instead is implement remote logging with automated log processing. In addition to requiring a fraction of the time and manpower, it has a chance of actually detecting a security issue. Which is why it's part of almost any IDS solution.

But I'd like to give the author credit for also providing some really, really good advice that actually goes against many older best practices recommendations:
Quote:
11. Have separate devices for work and personal use.
Yes, a 1000 times yes. BYOD is a disaster waiting to happen.
Quote:
16. Make sure employees know who to contact on your security staff if they have questions about suspicious emails or websites.
Or any potential security issue really, like doors being propped open, or strangers wandering the hallways, or unsolicited calls where the caller tries to obtain information about employees or the IT infrastructure.
 
#10 business_kid (LQ Guru, original poster), 05-17-2021, 10:45 AM
Quote:
Originally Posted by Tampa Bay Times
Mark Khan is a senior information assurance cybersecurity consultant in Tampa.
May I translate that line? Somebody thinks the sun, moon and stars shine out of his a** and is overpaying him. I didn't see a single mention of umasks or permissions, or care with servers. He obviously is good at reinstalling Windows.

@Ser Olmy: I thought you posted a very (for me) educational critique. Yes, I have witnessed the carnage that occurs when users on Monday show up with a cumulative weekend hangover only to discover their passwords have been changed :-). It was 11 o'clock and 3 folks out of 50ish were logged in. I'm sure nobody in this country insists on secure passwords; extremely few use VPNs; a small minority have guest networks; device encryption of separate devices is unheard of, especially phones. In fact, there's a regular trade here in 2nd hand Dell Latitudes, which were company laptops with high specs used for a year or two by IT devs or high flyers and sold on. Such a machine could easily be purloined by any member of the opposite sex on a one-night stand - passwords and all.

A few of the organizations may do one of the long term company recommendations, maybe two, but only if it comes from the top down. It's never led by sysadmins. There's a few guys who will be fired if they install X on a server. They run the tight ships. It's also common to outsource Linux maintenance here. ISPs have Linux & BSD savvy guys ok.
 
#11 leclerc78 (Member), 05-17-2021, 05:42 PM
Why can't Windows/Linux set something like that:
3 strikes you are out - come back in 15 minutes.
 
#12 Ser Olmy (Senior Member), 05-17-2021, 06:00 PM
Quote:
Originally Posted by leclerc78
Why can't Windows/Linux set something like that:
3 strikes you are out - come back in 15 minutes.
They can.

Now imagine how that would work if an account that's used for remote login or a web based service is the subject of a brute force password attack. How would you log on when your account is constantly being locked?
 
#13 astrogeek (Moderator), 05-17-2021, 06:05 PM
Quote:
Originally Posted by Ser Olmy
11. Have separate devices for work and personal use.
Which I would expand to include...

Quote:
11.x Have separate logins on each device (i.e. separate home directories and access control) for as many separable activities as are important to you from a security viewpoint.
 
#14 wpeckham (LQ Guru), 05-17-2021, 07:10 PM
RE: Item 4 response.
Quote:
Originally Posted by Ser Olmy
And speaking of things you absolutely shouldn't do:
We know what happens when you enforce this, and it does not improve security.

Instead, it will either lead to poor password quality or, if rigorous password quality mechanisms are in place, to rampant password reuse across disparate systems and/or passwords being written down on Post-It notes. And as a bonus, the helpdesk gets overrun with password reset requests.
I have to totally agree on this point. I believe anyone who has lived through it from an IT, operations, or helpdesk position could not argue that point! That does not mean that password changes should not be required, but that the advice and procedure had better be well thought out and combined with other requirements to ensure security.
Quote:
Instead, insist that users use passphrases. This requires something like 5 minutes of training, and it's pretty simple to enforce; just require passwords to be something like 20+ characters in length. Unfortunately, some Windows services cannot handle passwords longer than 16 characters.
Again I agree that passphrases are far more secure than simple passwords. However I prefer a slightly different solution. Where it is possible: some form of 2-factor authentication cannot be recorded on a 3M sticky note, and need not be a major budget item for the company. I prefer a solution that combines a time/standard based randomizer with a pin code or additional identifier, but there are other secure options.

The point is that it does not take very much to improve on the simple, short, password that is vulnerable to deciphering, misuse or sharing, capture, or dictionary attacks. And on that I KNOW we agree!

Last edited by wpeckham; 05-17-2021 at 07:12 PM.
 
#15 frankbell (LQ Guru), 05-17-2021, 10:07 PM
Quote:
Why can't Windows/Linux set something like that:
3 strikes you are out - come back in 15 minutes.
fail2ban.
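An added illustration, not code from any poster: the "3 strikes, come back in 15 minutes" rule from #11 replayed over constructed sshd-style log lines under the two keyings the thread contrasts, per source address (fail2ban's model, #15) and per account (the lockout Ser Olmy objects to in #12), showing what each does to the legitimate user's login during a brute-force run. Hostnames, usernames, addresses and the log lines are constructed, and the year is assumed because syslog timestamps omit it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style auth lines (not a real capture): one address hammers
# "alice", the real alice logs in from her own address, the attacker returns later.
SAMPLE_LOG = """\
May 17 18:00:01 gw sshd[1201]: Failed password for alice from 203.0.113.7 port 51000 ssh2
May 17 18:00:03 gw sshd[1202]: Failed password for alice from 203.0.113.7 port 51001 ssh2
May 17 18:00:05 gw sshd[1203]: Failed password for alice from 203.0.113.7 port 51002 ssh2
May 17 18:00:09 gw sshd[1204]: Failed password for alice from 203.0.113.7 port 51003 ssh2
May 17 18:01:10 gw sshd[1210]: Accepted password for alice from 198.51.100.20 port 40022 ssh2
May 17 18:20:00 gw sshd[1250]: Failed password for invalid user admin from 203.0.113.7 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)
MAX_STRIKES = 3                    # "3 strikes you are out"
BLOCK_FOR = timedelta(minutes=15)  # "come back in 15 minutes"
LOG_YEAR = 2021                    # assumed: syslog timestamps carry no year

def parse_line(line):
    """Return (timestamp, result, user, ip) for an sshd auth line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def replay(log_text, policy):
    """Replay the log under one policy; return one (ts, user, ip, outcome) per line.
    "source": strikes and the block are keyed on the client address (fail2ban's model).
    "account": strikes and the block are keyed on the username (classic lockout)."""
    strikes = defaultdict(deque)  # key -> timestamps of recent failures
    blocked_until = {}            # key -> when its block expires
    outcomes = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        key = ip if policy == "source" else user
        if key in blocked_until and ts >= blocked_until[key]:
            del blocked_until[key]  # block expired: start counting afresh
            strikes[key].clear()
        if key in blocked_until:
            outcomes.append((ts, user, ip, "blocked"))  # rejected before auth
            continue
        if result == "Accepted":
            outcomes.append((ts, user, ip, "accepted"))
            continue
        recent = strikes[key]
        recent.append(ts)
        while ts - recent[0] > BLOCK_FOR:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= MAX_STRIKES:
            blocked_until[key] = ts + BLOCK_FOR
            outcomes.append((ts, user, ip, "failed+blocked"))
        else:
            outcomes.append((ts, user, ip, "failed"))
    return outcomes
```

Under the per-account policy alice's genuine login at 18:01:10 comes back "blocked" even though the guesses came from a different address; under the per-source policy it is accepted while 203.0.113.7 stays banned until its 15 minutes are up.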